Let’s Encrypt requires that the domain requesting certification is “under the control” of the requester. It does this by validating the domain with either DNS or HTTP. Scripting DNS at this point would be a bit of overkill, so instead I forwarded a port from my router to the server running SABnzbd+. I would have preferred port triggering, but I didn’t spend the time setting it up. I don’t want this port open all of the time to the Internet, and since my router doesn’t have a nice API to work with, I’ll rely on the built-in firewall in Ubuntu.

The firewall is enabled first (ufw enable) and then an outside HTTPS connection (ufw allow https) is allowed.

Simply put, we’re just backing up the current certificates and copying over the new ones into the SABnzbd+ directory.
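
One way to script the backup-and-copy step described above, as an added example rather than the post's own commands. The file names (fullchain.pem and privkey.pem as the new pair, server.cert and server.key as the installed pair) and both directories are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: rotate_certs NEW_CERT_DIR SABNZBD_CERT_DIR [BACKUP_LABEL]
# Assumed names: fullchain.pem/privkey.pem in NEW_CERT_DIR,
# server.cert/server.key in SABNZBD_CERT_DIR.

rotate_certs() {
    src_dir=$1
    dest_dir=$2
    stamp=${3:-$(date +%Y%m%d-%H%M%S)}
    backup_dir="$dest_dir/backup-$stamp"

    # Refuse to touch the live files unless both new files exist and are non-empty.
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$src_dir/$f" ]; then
            echo "missing or empty: $src_dir/$f" >&2
            return 1
        fi
    done

    # Back up whatever is currently installed, keeping mode and timestamps.
    if [ -e "$dest_dir/server.cert" ] || [ -e "$dest_dir/server.key" ]; then
        mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1
        for f in server.cert server.key; do
            if [ -e "$dest_dir/$f" ]; then
                cp -p "$dest_dir/$f" "$backup_dir/$f" || return 1
            fi
        done
    fi

    # Copy to temporary names, then rename, so a failed copy never leaves
    # a half-written certificate or key in place. The key stays owner-only.
    ( umask 077
      cp "$src_dir/privkey.pem" "$dest_dir/server.key.new" &&
      cp "$src_dir/fullchain.pem" "$dest_dir/server.cert.new" &&
      chmod 600 "$dest_dir/server.key.new" &&
      chmod 644 "$dest_dir/server.cert.new" &&
      mv "$dest_dir/server.key.new" "$dest_dir/server.key" &&
      mv "$dest_dir/server.cert.new" "$dest_dir/server.cert"
    ) || return 1
}
```

Run it as the user that owns the SABnzbd+ certificate directory, then restart the service so the new pair is read.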

sudo /etc/init.d/sabnzbdplus restart

SABnzbd+ needs to be restarted to read the newly copied certificates. Now all that needs to be done is to log in to the web UI of SABnzbd+ and enable HTTPS.

sudo ufw allow from 192.168.1.0/24
sudo ufw deny https

Now that the domain is verified and the certificate is installed, let’s close up the opened port on the firewall (ufw deny https). I personally “trust” my local network (but probably shouldn’t), so I use ufw allow from 192.168.1.0/24 to allow any local traffic by default; otherwise you’ll have to adjust the firewall rules as needed.

I can’t just close up my port forwarding, since we’ll need it again whenever it’s time to renew the certificate, which I’ll gather my notes on and post about in the near future.

Disclaimer: This is what worked for me, and I’m just using this as a brain dump. I’m not a network security expert, so don’t do anything I say.